OAuth Working Group N. Sakimura, Ed.
Internet-Draft Nomura Research Institute
Intended status: Standards Track J. Bradley
Expires: November 18, 2015 Ping Identity
N. Agarwal
Google
May 17, 2015
Proof Key for Code Exchange by OAuth Public Clientsdraft-ietf-oauth-spop-11
Abstract
OAuth 2.0 public clients utilizing the Authorization Code Grant are
susceptible to the authorization code interception attack. This
specification describes the attack as well as a technique to mitigate
against the threat.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 18, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Sakimura, et al. Expires November 18, 2015 [Page 1]

Internet-Draft oauth_pkce May 2015
The operating systems must allow a custom URI schemes to be
registered by multiple applications.
2) The OAuth 2.0 authorization code grant is used.
3) The attacker has access to the client id. All native app client-
instances use the same client id. No client secret is used (since
public clients cannot keep their secrets confidential.)
4) The attacker (via the installed app) is able to observe responses
from the authorization endpoint. As a more sophisticated attack
scenario the attacker is also able to observe requests (in
addition to responses) to the authorization endpoint. The
attacker is, however, not able to act as a man-in-the-middle.
While this is a long list of pre-conditions the described attack has
been observed in the wild and has to be considered in OAuth 2.0
deployments.
While the OAuth 2.0 Threat Model Section 4.4.1 [RFC6819] describes
mitigation techniques they are, unfortunately, not applicable since
they rely on a per-client instance secret or aper client instance
redirect URI.
To mitigate this attack, this extension utilizes a dynamically
created cryptographically random key called 'code verifier'. A
unique code verifier is created for every authorization request and
its transformed value, called 'code challenge', is sent to the
authorization server to obtain the authorization code. The
authorization "code" obtained is then sent to the token endpoint with
the 'code verifier' and the server compares it with the previously
received request code so that it can perform the proof of possession
of the 'code verifier' by the client. This works as the mitigation
since the attacker would not know this one-time key.
1.1. Protocol FlowSakimura, et al. Expires November 18, 2015 [Page 4]

Internet-Draft oauth_pkce May 2015
+-------------------+
| Authz Server |
+--------+ | +---------------+ |
| |--(A)- Authorization Request ---->| | |
| | + t(code_verifier), t | | Authorization | |
| | | | Endpoint | |
| |<-(B)---- Authorization Code -----| | |
| | | +---------------+ |
| Client | | |
| | | +---------------+ |
| |--(C)-- Access Token Request ---->| | |
| | + code_verifier | | Token | |
| | | | Endpoint | |
| |<-(D)------ Access Token ---------| | |
+--------+ | +---------------+ |
+-------------------+
Figure 2: Abstract Protocol Flow
This specification adds additional parameters to the OAuth 2.0
Authorization and Access Token Requests, shown in abstract form in
Figure 1.
A. The client creates and records a secret named the "code_verifier",
and derives a transformed version "t(code_verifier)" (referred to
as the "code_challenge") which is sent in the OAuth 2.0
Authorization Request, along with the transformation method "t".
B. The Authorization Endpoint responds as usual, but records
"t(code_verifier)" and the transformation method.
C. The client then sends the code in the Access Token Request as
usual, but includes the "code_verifier" secret generated at (A).
D. The authorization server transforms "code_verifier" and compares
it to "t(code_verifier)" from (B). Access is denied if they are
not equal.
An attacker who intercepts the Authorization Grant at (B) is unable
to redeem it for an Access Token, as they are not in possession of
the "code_verifier" secret.
2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in Key
words for use in RFCs to Indicate Requirement Levels [RFC2119]. If
these words are used without being spelled in uppercase then they are
to be interpreted with their normal natural language meanings.
Sakimura, et al. Expires November 18, 2015 [Page 5]

Internet-Draft oauth_pkce May 2015
This specification uses the Augmented Backus-Naur Form (ABNF)
notation of [RFC5234].
STRING denotes a sequence of zero or more ASCII [RFC0020] characters.
OCTETS denotes a sequence of zero or more octets.
ASCII(STRING) denotes the octets of the ASCII [RFC0020]
representation of STRING where STRING is a sequence of zero or more
ASCII characters.
BASE64URL-ENCODE(OCTETS) denotes the base64url encoding of OCTETS,
per Section 3 producing a STRING.
BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING,
per Section 3, producing a sequence of octets.
SHA256(OCTETS) denotes a SHA2 256bit hash [RFC6234] of OCTETS.
3. Terminology
In addition to the terms defined in OAuth 2.0 [RFC6749], this
specification defines the following terms:
code verifier A cryptographically random string that is used to
correlate the authorization request to the token request.
code challenge A challenge derived from the code verifier that is
sent in the authorization request, to be verified against later.
Base64url Encoding Base64 encoding using the URL- and filename-safe
character set defined in Section 5 of [RFC4648], with all trailing
'=' characters omitted (as permitted by Section 3.2 of [RFC4648])
and without the inclusion of any line breaks, whitespace, or other
additional characters. (See Appendix A for notes on implementing
base64url encoding without padding.)
4. Protocol4.1. Client creates a code verifier
The client first creates a code verifier, "code_verifier", for each
OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
code_verifier = high entropy cryptographic random STRING using the
Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
from Sec 2.3 of [RFC3986], with a minimum length of 43 characters and
a maximum length of 128 characters.
ABNF for "code_verifier" is as follows.
Sakimura, et al. Expires November 18, 2015 [Page 6]

Internet-Draft oauth_pkce May 2015
code-verifier = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39
NOTE: code verifier SHOULD have enough entropy to make it impractical
to guess the value. It is RECOMMENDED that the output of a suitable
random number generator be used to create a 32-octet sequence. The
Octet sequence is then base64url encoded to produce a 43-octet URL
safe string to use as the code verifier.
4.2. Client creates the code challenge
The client then creates a code challenge, "code_challenge", derived
from the "code_verifier" by using one of the following
transformations on the "code_verifier":
plain "code_challenge" = "code_verifier"
S256 "code_challenge" = BASE64URL-
ENCODE(SHA256(ASCII("code_verifier")))
It is RECOMMENDED to use the S256 transformation when possible.
ABNF for "code_challenge" is as follows.
code-challenge = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39
4.3. Client sends the code challenge with the authorization request
The client sends the code challenge as part of the OAuth 2.0
Authorization Request (Section 4.1.1 of [RFC6749].) using the
following additional parameters:
code_challenge REQUIRED. Code challenge.
code_challenge_method OPTIONAL, defaults to "plain". Code verifier
transformation method, "S256" or "plain".
4.4. Server returns the code
When the server issues the "code" in the Authorization Response, it
MUST associate the "code_challenge" and "code_challenge_method"
values with the "code" so it can be verified later.
Sakimura, et al. Expires November 18, 2015 [Page 7]

Internet-Draft oauth_pkce May 2015
Typically, the "code_challenge" and "code_challenge_method" values
are stored in encrypted form in the "code" itself, but could
alternatively be stored on the server, associated with the code. The
server MUST NOT include the "code_challenge" value in client requests
in a form that other entities can extract.
The exact method that the server uses to associate the
"code_challenge" with the issued "code" is out of scope for this
specification.
4.4.1. Error Response
If the server requires PKCE, and the client does not send the
"code_challenge" in the request, the authorization endpoint MUST
return the authorization error response with "error" value set to
"invalid_request". The "error_description" or the response of
"error_uri" SHOULD explain the nature of error, e.g., code challenge
required.
If the server supporting PKCE does not support the requested
transform, the authorization endpoint MUST return the authorization
error response with "error" value set to "invalid_request". The
"error_description" or the response of "error_uri" SHOULD explain the
nature of error, e.g., transform algorithm not supported.
If the client is capable of using "S256", it MUST use "S256", as
"S256" is Mandatory To Implement (MTI) on the server. Clients MAY
use "plain" only if they cannot support "S256" for some technical
reason and knows that the server supports "plain".
4.5. Client sends the code and the secret to the token endpoint
Upon receipt of the "code", the client sends the Access Token Request
to the token endpoint. In addition to the parameters defined in the
OAuth 2.0 Access Token Request (Section 4.1.3 of [RFC6749]), it sends
the following parameter:
code_verifier REQUIRED. Code verifier
4.6. Server verifies code_verifier before returning the tokens
Upon receipt of the request at the Access Token endpoint, the server
verifies it by calculating the code challenge from received
"code_verifier" and comparing it with the previously associated
"code_challenge", after first transforming it according to the
"code_challenge_method" method specified by the client.
Sakimura, et al. Expires November 18, 2015 [Page 8]

Internet-Draft oauth_pkce May 2015
If the "code_challenge_method" from Section 4.2 was "S256", the
received "code_verifier" is hashed by SHA-256, then base64url
encoded, and then compared to the "code_challenge". i.e.,
BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) == "code_challenge"
If the "code_challenge_method" from Section 4.2 was "plain", they are
compared directly. i.e.,
"code_verifier" == "code_challenge".
If the values are equal, the Access Token endpoint MUST continue
processing as normal (as defined by OAuth 2.0 [RFC6749]). If the
values are not equal, an error response indicating "invalid_grant" as
described in section 5.2 of [RFC6749] MUST be returned.
5. Compatibility
Server implementations of this specification MAY accept OAuth2.0
Clients that do not implement this extension. If the "code_verifier"
is not received from the client in the Authorization Request, servers
supporting backwards compatibility SHOULD revert to a normal OAuth
2.0 [RFC6749] protocol.
As the OAuth 2.0 [RFC6749] server responses are unchanged by this
specification, client implementations of this specification do not
need to know if the server has implemented this specification or not,
and SHOULD send the additional parameters as defined in Section 3. to
all servers.
6. IANA Considerations
This specification makes a registration request as follows:
6.1. OAuth Parameters Registry
This specification registers the following parameters in the IANA
OAuth Parameters registry defined in OAuth 2.0 [RFC6749].
o Parameter name: code_verifier
o Parameter usage location: Access Token Request
o Change controller: IESG
o Specification document(s): this document
o Parameter name: code_challenge
o Parameter usage location: Authorization Request
o Change controller: IESG
o Specification document(s): this document
Sakimura, et al. Expires November 18, 2015 [Page 9]

Internet-Draft oauth_pkce May 2015
o Parameter name: code_challenge_method
o Parameter usage location: Authorization Request
o Change controller: IESG
o Specification document(s): this document
6.2. PKCE Code Challenge Method Registry
This specification establishes the PKCE Code Challenge Method
registry.
Additional code_challenge_method types for use with the authorization
endpoint are registered with a Specification Required ([RFC5226])
after a two-week review period on the oauth-ext-review@ietf.org
mailing list, on the advice of one or more Designated Experts.
However, to allow for the allocation of values prior to publication,
the Designated Expert(s) may approve registration once they are
satisfied that such a specification will be published.
Registration requests must be sent to the oauth-ext-review@ietf.org
mailing list for review and comment, with an appropriate subject
(e.g., "Request for PKCE code_challenge_method: example").
Within the review period, the Designated Expert(s) will either
approve or deny the registration request, communicating this decision
to the review list and IANA. Denials should include an explanation
and, if applicable, suggestions as to how to make the request
successful.
IANA must only accept registry updates from the Designated Expert(s)
and should direct all requests for registration to the review mailing
list.
6.2.1. Registration Template
Code Challenge Method Parameter Name:
The name requested (e.g., "example"). Because a core goal of this
specification is for the resulting representations to be compact,
it is RECOMMENDED that the name be short -- not to exceed 8
characters without a compelling reason to do so. This name is
case-sensitive. Names may not match other registered names in a
case-insensitive manner unless the Designated Expert(s) state that
there is a compelling reason to allow an exception in this
particular case.
Change Controller:
For Standards Track RFCs, state "IESG". For others, give the name
of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included.
Specification Document(s):
Sakimura, et al. Expires November 18, 2015 [Page 10]

Internet-Draft oauth_pkce May 2015
Reference to the document(s) that specify the parameter,
preferably including URI(s) that can be used to retrieve copies of
the document(s). An indication of the relevant sections may also
be included but is not required.
6.2.2. Initial Registry Contents
This specification registers the Code Challenge Method Parameter
names defined in Section 4.2 in this registry.
o Code Challenge Method Parameter Name: "plain"
o Change Controller: IESG
o Specification Document(s): Section 4.2 of [[ this document ]]
o Code Challenge Method Parameter Name: "S256"
o Change Controller: IESG
o Specification Document(s): Section 4.2 of [[ this document ]]
7. Security Considerations7.1. Entropy of the code verifier
The security model relies on the fact that the code verifier is not
learned or guessed by the attacker. It is vitally important to
adhere to this principle. As such, the code verifier has to be
created in such a manner that it is cryptographically random and has
high entropy that it is not practical for the attacker to guess. It
is RECOMMENDED that the output of a suitable random number generator
be used to create a 32-octet sequence.
7.2. Protection against eavesdroppers
Clients MUST NOT try down grading the algorithm after trying "S256"
method. If the server is PKCE compliant, then "S256" method works.
If the server does not support PKCE, it does not generate error.
Only the time that the server returns that it does not support "S256"
is there is a MITM trying the algorithm downgrade attack.
"S256" method protects against eavesdroppers observing or
intercepting the "code_challenge". If the "plain" method is used,
there is a chance that it will be observed by the attacker on the
device. The use of "S256" protects against it.
If "code_challenge" is to be returned inside authorization "code" to
achieve a stateless server, it has to be encrypted in such a manner
that only the server can decrypt and extract it.
Sakimura, et al. Expires November 18, 2015 [Page 11]

Internet-Draft oauth_pkce May 20157.3. Entropy of the code_verifier
The client SHOULD create a code_verifier with a minimum of 256bits of
entropy. This can be done by having a suitable random number
generator create a 32-octet sequence. The Octet sequence can then be
base64url encoded to produce a 43-octet URL safe string to use as a
code_challenge that has the required entropy.
Salting is not used in the production of the code_verifier, as the
code_chalange contains sufficient entropy to prevent brute force
attacks. Concatenating a publicly known value to a code_challenge
(with 256 bits of entropy) and then hashing it with SHA256 would
actually reduce the entropy in the resulting code_verifier making it
easier for an attacker to brute force.
While the S256 transformation is like hashing a password there are
important differences. Passwords tend to be relatively low entropy
words that can be hashed offline and the hash looked up in a
dictionary. By concatenating a unique though public value to each
password prior to hashing, the dictionary space that an attacker
needs to search is greatly expanded.
Modern graphics processors now allow attackers to calculate hashes in
real time faster than they could be looked up from a disk. This
eliminates the value of the salt in increasing the complexity of a
brute force attack for even low entropy passwords.
7.4. OAuth security considerations
All the OAuth security analysis presented in [RFC6819] applies so
readers SHOULD carefully follow it.
7.5. TLS security considerations
Curent security considerations can be found in Recommendations for
Secure Use of TLS and DTLS [BCP195]. This supersedes the TLS version
recommendations in OAuth 2.0 [RFC6749].
8. Acknowledgements
The initial draft of this specification was created by the OpenID AB/
Connect Working Group of the OpenID Foundation.
This specification is the work of the OAuth Working Group, which
includes dozens of active and dedicated participants. In particular,
the following individuals contributed ideas, feedback, and wording
that shaped and formed the final specification:
Sakimura, et al. Expires November 18, 2015 [Page 12]

Internet-Draft oauth_pkce May 2015
The code_verifier is then hashed via the SHA256 hash function to
produce:
[19, 211, 30, 150, 26, 26, 216, 236, 47, 22, 177, 12, 76, 152, 46,
8, 118, 168, 120, 173, 109, 241, 68, 86, 110, 225, 137, 74, 203,
112, 249, 195]
Encoding this octet sequence as a base64url provides the value of the
code_challenge:
E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
The authorization request includes:
code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
&code_challange_method=S256
The Authorization server then records the code_challenge and
code_challenge_method along with the code that is granted to the
client.
in the request to the token_endpoint the client includes the code
received in the authorization response as well as the additional
paramater:
code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
The Authorization server retrieves the information for the code
grant. Based on the recorded code_challange_method being S256, it
then hashes and base64url encodes the value of code_verifier.
BASE64URL-ENCODE(SHA256(ASCII("code_verifier" )))
The calculated value is then compared with the value of
"code_challenge":
BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) == code_challenge
If the two values are equal then the Authorization server can provide
the tokens as long as there are no other errors in the request. If
the values are not equal then the request must be rejected, and an
error returned.
Authors' Addresses
Sakimura, et al. Expires November 18, 2015 [Page 17]